GZipDe: An Encrypted Downloader Serving Metasploit


At the end of May a Middle Eastern news network published an article about the next Shanghai Cooperation Organization Summit. A week ago, AlienVault Labs detected a new malicious document targeting the area. It uses a piece of text taken from the report as a decoy:

This is the first step of a multistage infection in which several servers and artifacts are involved. Although the final goal seems to be the installation of a Metasploit backdoor, we found an interesting .NET downloader which uses a custom encryption method to obfuscate process memory and evade antivirus detection.

Malicious Document

The file, which was uploaded to VirusTotal by a user in Afghanistan, contains macro malware embedded in an MS Office Word document (.doc). When opened, it runs a Visual Basic script stored as a hexadecimal stream, which in turn launches a new task in a hidden PowerShell console:

We are missing the next step of the infection chain as the server is now offline.

Based on the common path we believe this file is related, and may be part of the later infection steps: http://118.193.251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent.exe.

GZipDe - The Encrypted Downloader

The internal name of this malware is Gzipde, as specified by the path it was built on the attacker’s machine:

Documents\Visual Studio 2008\Projects\gzipde\gzipde\obj\Debug\gzipde.pdb

We found the original reverse-tcp payload publicly available on GitHub, although the attacker added an additional layer of encryption to that version's payload. It consists of a Base64 string, named GZipDe, which is zip-compressed and custom-encrypted with a symmetric key algorithm, likely to avoid antivirus detection.

The key is described as an array of bytes, with the values:

After decompression, it passes through a decryptor. The encryption method used is RC4 with a key length of 23 bytes.
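As an added example (not code from the post or from the sample), the following Python unpacker reverses the layering just described: Base64, then decompression, then RC4 with a 23-byte key. It assumes a gzip container, as the malware's name suggests; the key and payload are constructed stand-ins, since the real key is shown only in an image that is not in the text.

```python
import base64
import gzip


def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data (encryption and decryption are the same operation)."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def unpack_gzipde(blob_b64: str, key: bytes) -> bytes:
    """Reverse the layering described in the post:
    Base64 decode -> decompress -> RC4 decrypt -> raw payload bytes."""
    compressed = base64.b64decode(blob_b64)
    encrypted = gzip.decompress(compressed)  # assumption: gzip container
    return rc4(key, encrypted)


def pack_gzipde(payload: bytes, key: bytes) -> str:
    """Inverse of unpack_gzipde; used here only to build a constructed sample."""
    return base64.b64encode(gzip.compress(rc4(key, payload))).decode("ascii")


# CONSTRUCTED 23-byte key: the real key is not reproduced in the post's text.
SAMPLE_KEY = bytes(range(0x10, 0x10 + 23))
# CONSTRUCTED stand-in payload; a real sample carries shellcode here.
SAMPLE_PAYLOAD = b"\x90\x90\xcc" + b"stand-in-payload-bytes" * 4
SAMPLE_BLOB = pack_gzipde(SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = unpack_gzipde(SAMPLE_BLOB, SAMPLE_KEY)
    print(len(recovered), recovered[:3].hex())
```

Swap SAMPLE_KEY for the 23 bytes recovered from the binary to decode a real GZipDe string for static analysis without ever executing it.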

The malware allocates a new memory page with execute, read and write privileges. Then it copies the contents of the decrypted payload and launches a new thread to execute it.

The script calls WaitForSingleObject from C#, meaning that the program waits on a mutex object. The handle controls the process's access to system resources and prevents multiple instances of the same malware from running at a time, which would unnecessarily increase resource usage and produce more network noise.

The payload contains shellcode that contacts the server at 175.194.42[.]8. Although the server is no longer up, Shodan previously recorded it serving a Metasploit payload:

The Metasploit payload

The server, 175.194.42[.]8, delivers a Metasploit payload. It contains shellcode crafted to bypass system detection (it appears to carry a valid DOS header) and a Meterpreter payload, a capable backdoor. For example, it can gather information from the system and contact the command and control server to receive further commands.

This shellcode loads the entire DLL into memory, so it is able to operate without writing anything to disk. This technique is called Reflective DLL injection. From this point, the attacker can transmit any other payload in order to acquire elevated privileges and move within the local network.

Jose is a Security Researcher and a part of the AT&T Alien Labs team. His interest in development led Jose to work as an Application Security Engineer and Scrum Master in the past. Nowadays he enjoys watching old-fashioned movies, researching threat models, and finding new mechanisms to detect malware. Also, he is an enthusiast of information theory and physics.